wannacry | 7690e785a0e17bb22a778afd21610bfe2e62a2f5d2a93e0d6b3ddab9f266437c

Resubmissions

27-11-2024 19:00

241127-xnsp4sskfl 7

27-11-2024 18:32

241127-w6v3hs1mfm 10

27-11-2024 18:26

241127-w3b58svlcx 10

Analysis

max time kernel
1036s
max time network
1040s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
27-11-2024 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PythonPcCrasher.py
Size

2KB
MD5

d24850b91f327ff7c4964f977f947765
SHA1

8484e62f2c6fbae5f6209b925628765c389610f5
SHA256

7690e785a0e17bb22a778afd21610bfe2e62a2f5d2a93e0d6b3ddab9f266437c
SHA512

bbdef8da1c04e13a16cad90231abcc1917af5b7e4310e08800f935b4973b61a815f85bf65442601cfdfeb15b0f584128f05b3966842e53b117f9e066f06746b7

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD2F59.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD2F60.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Executes dropped EXE 41 IoCs

pid	Process
5252	taskdl.exe
1456	@[email protected]
2836	@[email protected]
3904	taskhsvc.exe
4788	taskdl.exe
5500	taskse.exe
1992	@[email protected]
1168	taskse.exe
3452	@[email protected]
5180	taskdl.exe
3040	@[email protected]
1768	taskse.exe
4352	taskdl.exe
132	taskse.exe
3804	@[email protected]
3980	taskdl.exe
1472	taskse.exe
3852	@[email protected]
4596	taskdl.exe
1184	taskse.exe
2304	@[email protected]
4964	taskdl.exe
4932	@[email protected]
4036	taskse.exe
2464	taskdl.exe
4700	taskse.exe
4100	@[email protected]
3420	taskdl.exe
1508	taskse.exe
5940	@[email protected]
6124	taskdl.exe
668	@[email protected]
1592	@[email protected]
3076	@[email protected]
5072	@[email protected]
5932	taskse.exe
4728	@[email protected]
5044	taskdl.exe
5492	taskse.exe
3288	@[email protected]
2780	taskdl.exe

Loads dropped DLL 7 IoCs

pid	Process
3904	taskhsvc.exe
3904	taskhsvc.exe
3904	taskhsvc.exe
3904	taskhsvc.exe
3904	taskhsvc.exe
3904	taskhsvc.exe
3904	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1184	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qhvfvgsevfiqy755 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_Ransomware.WannaCry.zip\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
235	raw.githubusercontent.com
244	raw.githubusercontent.com
248	raw.githubusercontent.com
256	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 52 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Winword.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Winword.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133772062633272664"	chrome.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
5392	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Ransomware.WannaCry.zip:Zone.Identifier	msedge.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
6028	Winword.exe
6028	Winword.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2396	chrome.exe
2396	chrome.exe
5608	msedge.exe
5608	msedge.exe
5448	msedge.exe
5448	msedge.exe
2004	msedge.exe
2004	msedge.exe
2732	msedge.exe
2732	msedge.exe
2368	msedge.exe
2368	msedge.exe
2440	identity_helper.exe
2440	identity_helper.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4404	msedge.exe
4352	msedge.exe
4352	msedge.exe
3904	taskhsvc.exe
3904	taskhsvc.exe
3904	taskhsvc.exe
3904	taskhsvc.exe
3904	taskhsvc.exe
3904	taskhsvc.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1992	@[email protected]
5996	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 38 IoCs

pid	Process
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
5448	msedge.exe
5448	msedge.exe
5448	msedge.exe
5448	msedge.exe
2396	chrome.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeCreatePagefilePrivilege	2396	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
5448	msedge.exe
5448	msedge.exe
5448	msedge.exe
5448	msedge.exe
5448	msedge.exe
5448	msedge.exe
5448	msedge.exe
5448	msedge.exe
5448	msedge.exe
5448	msedge.exe
5448	msedge.exe
5448	msedge.exe
5448	msedge.exe
5448	msedge.exe
5448	msedge.exe
5448	msedge.exe
5448	msedge.exe
5448	msedge.exe
5448	msedge.exe
5448	msedge.exe
5448	msedge.exe
5448	msedge.exe
5448	msedge.exe
5448	msedge.exe
5448	msedge.exe
5448	msedge.exe
2396	chrome.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
5448	msedge.exe
5448	msedge.exe
5448	msedge.exe
5448	msedge.exe
5448	msedge.exe
5448	msedge.exe
5448	msedge.exe
5448	msedge.exe
5448	msedge.exe
5448	msedge.exe
5448	msedge.exe
5448	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe
2004	msedge.exe

Suspicious use of SetWindowsHookEx 44 IoCs

pid	Process
4840	OpenWith.exe
3020	MiniSearchHost.exe
1456	@[email protected]
2836	@[email protected]
2836	@[email protected]
1456	@[email protected]
1992	@[email protected]
1992	@[email protected]
3452	@[email protected]
3040	@[email protected]
3804	@[email protected]
3852	@[email protected]
2304	@[email protected]
4932	@[email protected]
4932	@[email protected]
4100	@[email protected]
5996	OpenWith.exe
5996	OpenWith.exe
5996	OpenWith.exe
5996	OpenWith.exe
5996	OpenWith.exe
5996	OpenWith.exe
5996	OpenWith.exe
5996	OpenWith.exe
5996	OpenWith.exe
5996	OpenWith.exe
5996	OpenWith.exe
5996	OpenWith.exe
5996	OpenWith.exe
5996	OpenWith.exe
5996	OpenWith.exe
6028	Winword.exe
6028	Winword.exe
6028	Winword.exe
6028	Winword.exe
6028	Winword.exe
6028	Winword.exe
5940	@[email protected]
668	@[email protected]
1592	@[email protected]
3076	@[email protected]
5072	@[email protected]
4728	@[email protected]
3288	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 3620	2396	chrome.exe	85
PID 2396 wrote to memory of 3620	2396	chrome.exe	85
PID 2396 wrote to memory of 3116	2396	chrome.exe	86
PID 2396 wrote to memory of 3116	2396	chrome.exe	86
PID 2396 wrote to memory of 3116	2396	chrome.exe	86
PID 2396 wrote to memory of 3116	2396	chrome.exe	86
PID 2396 wrote to memory of 3116	2396	chrome.exe	86
PID 2396 wrote to memory of 3116	2396	chrome.exe	86
PID 2396 wrote to memory of 3116	2396	chrome.exe	86
PID 2396 wrote to memory of 3116	2396	chrome.exe	86
PID 2396 wrote to memory of 3116	2396	chrome.exe	86
PID 2396 wrote to memory of 3116	2396	chrome.exe	86
PID 2396 wrote to memory of 3116	2396	chrome.exe	86
PID 2396 wrote to memory of 3116	2396	chrome.exe	86
PID 2396 wrote to memory of 3116	2396	chrome.exe	86
PID 2396 wrote to memory of 3116	2396	chrome.exe	86
PID 2396 wrote to memory of 3116	2396	chrome.exe	86
PID 2396 wrote to memory of 3116	2396	chrome.exe	86
PID 2396 wrote to memory of 3116	2396	chrome.exe	86
PID 2396 wrote to memory of 3116	2396	chrome.exe	86
PID 2396 wrote to memory of 3116	2396	chrome.exe	86
PID 2396 wrote to memory of 3116	2396	chrome.exe	86
PID 2396 wrote to memory of 3116	2396	chrome.exe	86
PID 2396 wrote to memory of 3116	2396	chrome.exe	86
PID 2396 wrote to memory of 3116	2396	chrome.exe	86
PID 2396 wrote to memory of 3116	2396	chrome.exe	86
PID 2396 wrote to memory of 3116	2396	chrome.exe	86
PID 2396 wrote to memory of 3116	2396	chrome.exe	86
PID 2396 wrote to memory of 3116	2396	chrome.exe	86
PID 2396 wrote to memory of 3116	2396	chrome.exe	86
PID 2396 wrote to memory of 3116	2396	chrome.exe	86
PID 2396 wrote to memory of 3116	2396	chrome.exe	86
PID 2396 wrote to memory of 2272	2396	chrome.exe	87
PID 2396 wrote to memory of 2272	2396	chrome.exe	87
PID 2396 wrote to memory of 1876	2396	chrome.exe	88
PID 2396 wrote to memory of 1876	2396	chrome.exe	88
PID 2396 wrote to memory of 1876	2396	chrome.exe	88
PID 2396 wrote to memory of 1876	2396	chrome.exe	88
PID 2396 wrote to memory of 1876	2396	chrome.exe	88
PID 2396 wrote to memory of 1876	2396	chrome.exe	88
PID 2396 wrote to memory of 1876	2396	chrome.exe	88
PID 2396 wrote to memory of 1876	2396	chrome.exe	88
PID 2396 wrote to memory of 1876	2396	chrome.exe	88
PID 2396 wrote to memory of 1876	2396	chrome.exe	88
PID 2396 wrote to memory of 1876	2396	chrome.exe	88
PID 2396 wrote to memory of 1876	2396	chrome.exe	88
PID 2396 wrote to memory of 1876	2396	chrome.exe	88
PID 2396 wrote to memory of 1876	2396	chrome.exe	88
PID 2396 wrote to memory of 1876	2396	chrome.exe	88
PID 2396 wrote to memory of 1876	2396	chrome.exe	88
PID 2396 wrote to memory of 1876	2396	chrome.exe	88
PID 2396 wrote to memory of 1876	2396	chrome.exe	88
PID 2396 wrote to memory of 1876	2396	chrome.exe	88
PID 2396 wrote to memory of 1876	2396	chrome.exe	88
PID 2396 wrote to memory of 1876	2396	chrome.exe	88
PID 2396 wrote to memory of 1876	2396	chrome.exe	88
PID 2396 wrote to memory of 1876	2396	chrome.exe	88
PID 2396 wrote to memory of 1876	2396	chrome.exe	88
PID 2396 wrote to memory of 1876	2396	chrome.exe	88
PID 2396 wrote to memory of 1876	2396	chrome.exe	88
PID 2396 wrote to memory of 1876	2396	chrome.exe	88
PID 2396 wrote to memory of 1876	2396	chrome.exe	88
PID 2396 wrote to memory of 1876	2396	chrome.exe	88
PID 2396 wrote to memory of 1876	2396	chrome.exe	88

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4516	attrib.exe
3208	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\PythonPcCrasher.py
1⤵
- Modifies registry class
PID:5776

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4840

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc68c8cc40,0x7ffc68c8cc4c,0x7ffc68c8cc58
  2⤵
  PID:3620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1772,i,10082413289189745763,10664468252670838136,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1768 /prefetch:2
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2084,i,10082413289189745763,10664468252670838136,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2100 /prefetch:3
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2172,i,10082413289189745763,10664468252670838136,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2188 /prefetch:8
  2⤵
  PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,10082413289189745763,10664468252670838136,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:5852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,10082413289189745763,10664468252670838136,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4452,i,10082413289189745763,10664468252670838136,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4396 /prefetch:1
  2⤵
  PID:2080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4872,i,10082413289189745763,10664468252670838136,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4860 /prefetch:1
  2⤵
  PID:3804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3360,i,10082413289189745763,10664468252670838136,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3348 /prefetch:8
  2⤵
  PID:1456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4688,i,10082413289189745763,10664468252670838136,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5096 /prefetch:8
  2⤵
  PID:5736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc63be3cb8,0x7ffc63be3cc8,0x7ffc63be3cd8
  2⤵
  PID:3312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1708,1546559712229824900,4941675420963418141,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1708,1546559712229824900,4941675420963418141,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1708,1546559712229824900,4941675420963418141,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
  2⤵
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,1546559712229824900,4941675420963418141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,1546559712229824900,4941675420963418141,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,1546559712229824900,4941675420963418141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,1546559712229824900,4941675420963418141,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:1484

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:6092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1812

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc63be3cb8,0x7ffc63be3cc8,0x7ffc63be3cd8
  2⤵
  PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,13613088050553929719,7554323076380771589,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,13613088050553929719,7554323076380771589,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,13613088050553929719,7554323076380771589,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2544 /prefetch:8
  2⤵
  PID:5428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,13613088050553929719,7554323076380771589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:2768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,13613088050553929719,7554323076380771589,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:5712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,13613088050553929719,7554323076380771589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1
  2⤵
  PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,13613088050553929719,7554323076380771589,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4412 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,13613088050553929719,7554323076380771589,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4380 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,13613088050553929719,7554323076380771589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
  2⤵
  PID:4204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,13613088050553929719,7554323076380771589,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,13613088050553929719,7554323076380771589,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,13613088050553929719,7554323076380771589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4368 /prefetch:1
  2⤵
  PID:4016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,13613088050553929719,7554323076380771589,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5156 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,13613088050553929719,7554323076380771589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1
  2⤵
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,13613088050553929719,7554323076380771589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,13613088050553929719,7554323076380771589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:1708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,13613088050553929719,7554323076380771589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,13613088050553929719,7554323076380771589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,13613088050553929719,7554323076380771589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
  2⤵
  PID:3268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,13613088050553929719,7554323076380771589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,13613088050553929719,7554323076380771589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,13613088050553929719,7554323076380771589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,13613088050553929719,7554323076380771589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6816 /prefetch:1
  2⤵
  PID:5372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,13613088050553929719,7554323076380771589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7032 /prefetch:1
  2⤵
  PID:5260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,13613088050553929719,7554323076380771589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6828 /prefetch:1
  2⤵
  PID:940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,13613088050553929719,7554323076380771589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6816 /prefetch:1
  2⤵
  PID:3848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,13613088050553929719,7554323076380771589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6968 /prefetch:1
  2⤵
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,13613088050553929719,7554323076380771589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7436 /prefetch:1
  2⤵
  PID:2676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,13613088050553929719,7554323076380771589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7712 /prefetch:1
  2⤵
  PID:884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,13613088050553929719,7554323076380771589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7832 /prefetch:1
  2⤵
  PID:5536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,13613088050553929719,7554323076380771589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7744 /prefetch:1
  2⤵
  PID:5476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,13613088050553929719,7554323076380771589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7276 /prefetch:1
  2⤵
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,13613088050553929719,7554323076380771589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8116 /prefetch:1
  2⤵
  PID:5176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,13613088050553929719,7554323076380771589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9064 /prefetch:1
  2⤵
  PID:5156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,13613088050553929719,7554323076380771589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8884 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,13613088050553929719,7554323076380771589,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8720 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,13613088050553929719,7554323076380771589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8976 /prefetch:1
  2⤵
  PID:1624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4788

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5248

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2432

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:2744
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:4516
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:1184
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 187291732733056.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2336
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4544
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:3208
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1456
- - C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3904
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3292
- - C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2836
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:5372
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4932
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4788
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5500
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "qhvfvgsevfiqy755" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:944
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "qhvfvgsevfiqy755" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5392
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1168
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5180
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3452
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1768
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3040
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4352
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:132
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3804
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3980
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1472
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3852
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4596
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1184
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2304
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4964
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4036
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4932
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2464
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4700
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4100
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3420
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1508
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5940
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6124
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5932
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4728
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5044
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5492
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3288
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2780

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4680

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\276c7aa17fbf482da4117c7840272fdd /t 3988 /p 1992
1⤵
PID:3728

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:5148

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5996
- C:\Program Files\Microsoft Office\root\Office16\Winword.exe
  "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Public\Desktop\@[email protected]"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:6028

C:\Users\Admin\Desktop\@[email protected]
"C:\Users\Admin\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:668

C:\Users\Admin\Desktop\@[email protected]
"C:\Users\Admin\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1592

C:\Users\Public\Desktop\@[email protected]
"C:\Users\Public\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3076

C:\Users\Public\Desktop\@[email protected]
"C:\Users\Public\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
1KB

MD5
f2fb06eaaf406715658780f93309019c

SHA1
e00207003d9f80f7a430230591dd8283160383c4

SHA256
5602fee183028adb7fba01ffb2e7b2a24928901a0897f65c7f75106576a8a327

SHA512
5169c612fa135861fa791ec9b4f69edf72eb248bf58d136f927c15b0425a0cb3e29f3ad8908e449da77b84d3c3422d01607f4b0ef2bf3c696186c3a1d2546378

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\17506109-e5d8-419a-a330-9f5fc7d8833c.tmp

Filesize
9KB

MD5
842516888657145de675569ccb68019e

SHA1
e69883a2e0d701438a290c9680883762971592e1

SHA256
e886fcb44651be31aefd593c3bac15e0e00a0664231de8e37478b6f9183a05b3

SHA512
d40caafe3fc39080b9122fd30237f0c72a1e23143bb69c2e82991b8aff2b219e2307ec19ab796f53797e2dcfa229423c48fad5cde180e4b38d791d9a25edbd59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
1cd87210eb2a2757896f2de788723245

SHA1
175a998a6141e28f7f88510957fea679276ad3c3

SHA256
406aa62721e29a183fea35029a023a1f8abf4c319186d2b61aef5725682d4e77

SHA512
a560e03c91d8753432e672137be5e1539f75d4af7ebc223937b367ff7040de26f9ecb1731fa819eac5050d5b9f8ad277c94469bd1e16a8ab30210a7ffd65d743

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
30f54fceaea793601aafbefd345d7587

SHA1
5e0286714488461b5b8e2b45b758a3d2066e6b2c

SHA256
9b1864d4abe332bbcc382adb20da1ad5ad916ebf9f52a1831d9691ebef565639

SHA512
78c70cdecb92ce7cbb06554042d8c4e0aac10efb7c755f08ac568036b08f0ab90d4da83ff7ed7538dad35459e14797c633d79d21f0c37eb9b0b5dce853c7e19f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
74c11207df832eab1fa43eeb35cd18e2

SHA1
2cf3d036fa5a2b2e0fda9c332b13cec39c129c2b

SHA256
cd376621d707df5223f793ac69a4353d96388d5ce1e72a8e1b4f78f5babe5f05

SHA512
af45fe120f23ca48d19346bffc0a10ca146a264a287b5b661ce1bfc615ebd6f0af2329ee65cae250fe6ba47c97797e3d0affdcd3be540702518804ca7f20e667

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
613122d17c7893ef1b454ee41f6cece4

SHA1
7e130ded9266b58dd96947beca32a7f4f501a622

SHA256
2af80d4ce148583beef97ff27c3704a6c7da895ec5c87a421060eb791406d0cd

SHA512
950e21e9fa0375ac431b081d34fa3b79f19fbe7dcd48a1ba9315b27ff8eff29759ff5fa8aba23c7f4b101592aa62bec875951217c41371e55c7e631339fde07b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
ae1e46f412b7eeed89821859356501b2

SHA1
d592397212f22c37e638c2ec8cfb8a50a594aaaf

SHA256
482b8dad1ae0367ac7bf33664eb56e102b2cf11df2e05615c8a79fcd8dbb52cc

SHA512
84b5a5bf2e81f6bfe011663b5808202ebb66c7f5158e60338707f620de937404d59039fc6817ee4187ce1cf5c4e6a302acfac67a849fff68dc2bbd67b8e14e8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
6458af6d9e336f7ca6edeb91065bb395

SHA1
9970f364319b8fe1c33619b96635f5afdd811ce0

SHA256
9b3a89a24c7998511f51a0d82a6ebfbc8a141333b8f01fc3934e4bc36fb625c6

SHA512
a188a5dcada59a48720f83cad74613f5eb202ffaf1c4b33da08ba503eedbd6be246b2297a8db5cb0db146f2612d650ef7139af61c98ccf331afc741a6de97a37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
c0b11ee33dfeb81d7b3447a256acbec3

SHA1
8799e57f0577f3271969d3dd9b0da596de4ac52c

SHA256
4900e0ee501a8aefb04d1f3644370860594d3747cbf662b14243cf09cbe3cff0

SHA512
74b0ce62f7889ae22395ad5840720de63ebc39f27fe32935afe8fe0b884f44a938dc4ffb172c7092b9d83814af0f8456ccb7b2c73f3373662e3aea7dd766da67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e195539101ec29855fc0a2dbe9427337

SHA1
e54e5f2c337e487b42181355e6cbb59f4bde1f75

SHA256
f98096a2ed6dbcaefad4a583cb2d847fb4965e45ba22084ff20da55ea046b018

SHA512
ae641185fb6e76dde16575f5ac0eeb6ec613f0e3cddd8a1b837428e0f05a9c55fb53c5632fbfdd6f2022a8edf46e27ea37e39a075a1553f1919e883bc8f5887b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1594cf3dc554295edbb4f068d0b38a5f

SHA1
bb025f7b2edbd4a97eaecdf453bdeec2dc2a7f82

SHA256
317c2ba4f169059bc83f5f4915f3ffc2ad5c0bc4fcf1761ce1f0fa9a9ac8007b

SHA512
3da58979958f3cc2a83511c056fc9b7e890b674c39e8f0008f79e7fcda10a758a2257468e188dba923d75dfc396b8edc3c4f08599b278806c5a77ed7e4c975c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4941d72400d29bfcaff03e8639d246ea

SHA1
5cad7c4896baababa4976d4b1d15f7ba0c5bda10

SHA256
eedc93426ddd11e8bbcf98bb2927dbe49af5179a08c838991a876dcaca2b3805

SHA512
f0c7ad805628f2704482f29df5cfaa33806ca5d9ad5834e28949e28c5be7d120f142664a197c0da874d4030c730aaa701c341928af55c25d3a87e90a9419a400

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
57f1d6c14122369e197a76c074cc439d

SHA1
3ad32ce425aeb47f0089e019c569235776ee5234

SHA256
3f1700ceb83b9ef2b3c4ed138a3cce3188485ad514b15c6a0607b56ec3c0ecad

SHA512
de73687af1bf8a74027a795bf24ce2abec8a370ad0d2cf5c8378372d52faee802e0f37036b8085378b05f9409bf4192abca2c4e94dbfb25f078baf6d90991710

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
87b44480dffb2ab8ad9031deeb1a5784

SHA1
3919764bfd2a5f1e0a814cb2c3802764a87fdae3

SHA256
f0520dd5feb3de6ade69445d17ddbac733f3582f527c22639a15703a5ac38ed0

SHA512
10d1efc6203cf4eaf173291b4efcc983613304be4817c50666d2085d4279ff3553a31f76c8eef317bf8f9496d8befb90388347f9df1327b621aa0c5a47eed6e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f74b909e10dce41d8beafe8d32c87fb6

SHA1
4ec5d394cde99990a44f63b865aaa8a5c55ba544

SHA256
e7891158b79b98d4aea8c63323315f11e85801a0fa96250dc29b898200d6a63c

SHA512
aa5381a264ae8e8eaba9e67f48cecd05a5ed1267f4d5d99dcff84ce0bc768edb45cfdb79376c06cd125304c08aeba2b4b8a93f326c6c794f4d72903ba5dd9127

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
9ecc0cc6c6ba95521536c164ba15856a

SHA1
710b205b0d84041087617ba1467f6ca52c0da7e7

SHA256
e1a620ed040707578bf91770808191d696f74578b906803462570b80839d91cb

SHA512
0714351d5d63f0502f677146ecebeb11aaccea978efc39dac40a61de0bc4e6268f1259ba70ae3627816bd6c9af79ede12b590e88e62dfeb15f3dd082c58456e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
73b6c7d3c442786ec67fcea92ebc42a5

SHA1
4a74b65f74a7a29bc69777ebaa1eba3a076483b1

SHA256
4d8cf2c08c184505e466d6917f08c389a2ad92f8a39fa772581f6e01811b9d1e

SHA512
dce19a1e256604c63b3d59054f2354179a56c792686d67dfc1e519e02a7e8b2717b6cd095b9538cba10ffb8277ad6655abe77ab2813f0a9286349210d35041ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
6baae261daf281d18f2a68b04dd45f53

SHA1
5ae498a79398c25a38539414f6e9db73deb0cc36

SHA256
2164725564a3c53d12b333085c50e20b7f85cf074afbe0e52ba0e1a411610caf

SHA512
0dcd49357edb4bf997f6e16b30ae4208a755342928b09a1c803b4e50a0f7d2fef74d6df1c5d93ded5c0c427f3b282d71c03d4dae048a831f40e486f485a998f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
c86b50b0822c057243f95706145dbb7b

SHA1
171b44b8feea6d4ad970a7f01f81aa329ec3fdbf

SHA256
22e4722600158c5220f23b1533f1cb3d6edc1babfeef6c745e9b5a95d58b0fb6

SHA512
fac9499feb75b44b83102cad7d83ab75536299af8d977186820993626e99dd031cd96190cb525d8d206a17a6c840493d37754d656a5cd0467cd72c55363b4d21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
6fc237be056c8544e788bb3590320a52

SHA1
4f4377e5bbb6ea08464ac5e80ff96713013a6fb2

SHA256
cd6a571d3889e6999f7051a747574da5ac552ac9467b4ac23d5c8a39058d2932

SHA512
33f8ffbf648c312650c8223c56df7cd72783d7e32bd62b4ca07bd049990c1daaf2f2802205f67c7f882373bdbb78cb5e979b3c899d4b1006c9e1a64e7f994df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1fc959921446fa3ab5813f75ca4d0235

SHA1
0aeef3ba7ba2aa1f725fca09432d384b06995e2a

SHA256
1b1e89d3b2f3da84cc8494d07cf0babc472c426ccb1c4ae13398243360c9d02c

SHA512
899d1e1b0feece25ac97527daddcaaeb069cb428532477849eba43a627502c590261f2c26fef31e4e20efd3d7eb0815336a784c4d2888e05afcf5477af872b06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0864baffb2650857264fa33fa0dd59bc

SHA1
e67b0e38b64fbcd90b7d83c3c0260a6f2c501415

SHA256
cbd11507192daa9dc59a5842b0d83b1bd2f55ae2335523f3b0a3e2c1c9a4032a

SHA512
c6c51efd91ac3d542c0071aed78c8c332d555896740798569aebc6b0c266ef15d0d2e19acc7c1399255890a4122493b7f67bf0c637d74fbeda2fe3b4cde13f98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b730e71d53558ae0f0be5e1d8691d82

SHA1
4266645fb7c9effc143a2de998cc0ff3cbc6fb23

SHA256
18b008a937e7a27532e1ae8860c031edb390299f476455e9b04fedf374dfaae5

SHA512
a98872c484470e991963c3d6976aacbe598324fa4ca723efabbe977b322c8b0c26a51a14899b6aa08b16970e91d2ece509982beca232cf13faf68b8e6fef5e96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e9a2c784e6d797d91d4b8612e14d51bd

SHA1
25e2b07c396ee82e4404af09424f747fc05f04c2

SHA256
18ddbb93c981d8006071f9d26924ce3357cad212cbb65f48812d4a474c197ce6

SHA512
fc35688ae3cd448ed6b2069d39ce1219612c54f5bb0dd7b707c9e6f39450fe9fb1338cf5bd0b82a45207fac2fbab1e0eae77e5c9e6488371390eab45f76a5df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\89dc9c37-ad42-4bdb-a503-1a41aa916083.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
03db4c871eb92376c829498a61ab0765

SHA1
3d94b429655e62bd1b045cd2fd90370a8d8c7fdd

SHA256
1514388cb5599084ed89760f04cad32d1f4e3f2cc2a53251a4a2aceb8d3914ca

SHA512
c16ed3b9655778fe5d615609e0d3d8935ab20382a5cd11912f97769073a728157f09e5c8dcc9376d74c6860f32f05bf2dcd8fa618ec1ee68edce48caa58af253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
1b1e389858b56d290a903dd3aae8d165

SHA1
bfb372b8242dbe0477f0dfd98386143a1a64fbaa

SHA256
0d0ceae7c8e0091d4bb4a2d1cf6cc1ecc8bdd81f2d9920351cb5de410f8441a9

SHA512
f792d19bcf22634528745a31da3d6a2b53c2c6a320be47ddfe1e5583ead33687197716fbd9190d65b3cc1965f38311559d6f8c025805ee088290c2b9a7d9fafc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
ec585384339cd33229b1b8c0b74061ae

SHA1
760c71ed7b4925797f2e4682533d41ab68e6855b

SHA256
252038b31c02028994a3439cf5fa1ce9d0cc6923ce12ec4b777838a140fcee02

SHA512
2cc260242ff1c50a2aafdc2de673af261262ee7f3259d336135914f8ceeefb85214d60a36a85c2842120caf0a063215d99f6b674964b7a78d91cf8eba48b96f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
67KB

MD5
b275fa8d2d2d768231289d114f48e35f

SHA1
bb96003ff86bd9dedbd2976b1916d87ac6402073

SHA256
1b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1

SHA512
d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d

Filesize
41KB

MD5
e319c7af7370ac080fbc66374603ed3a

SHA1
4f0cd3c48c2e82a167384d967c210bdacc6904f9

SHA256
5ad4c276af3ac5349ee9280f8a8144a30d33217542e065864c8b424a08365132

SHA512
4681a68a428e15d09010e2b2edba61e22808da1b77856f3ff842ebd022a1b801dfbb7cbb2eb8c1b6c39ae397d20892a3b7af054650f2899d0d16fc12d3d1a011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000030

Filesize
67KB

MD5
ce58019b091dbdb1895be63d765b1177

SHA1
37a38458a92835c43b270069c0629c6975b2ba69

SHA256
8defb86fd585d1e578370bac22698f0de49d509d7398a0e83fbae7a9d11e0fcf

SHA512
36be843dd5630cf0c76219459b2ff946fa91ab90be31e3ac62452642a79a062b9d7aaae14a0ad8fd92b1a6d468394f1aa8bfe45f262f33e34048b46e046a1b27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
2631ee88c5912c55000f9b52854305eb

SHA1
5c480c45ec87dd791f24f7e9d34ea2190b6ac81b

SHA256
4f6a857ac33dfa29cbe87c21c9faf1e16a7dc02ecd39aeb2c0ef8a65c710597d

SHA512
22e2e9215eb3695fa473180977870222b80a73427d786d75873dfb054b62c1026b1831f170358f56060da96daf32c68643ec261a344b9da1fa922a1d8b312451

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
54095803120b786ee68e4d5675d59bf8

SHA1
9a840f73763e901ea89f14de1f03fb1c5dd1195e

SHA256
38ff3859c4a34418a258fe3cb27d73d585e26b985d0f2463a3f2c6cc50891f71

SHA512
fbf8fa44b2f1a3291f6f08d223028bbe40bd805887cd3d4c1df1cf6b91a2dbd67b700d19c36f52e286bb39786d4faa705bca132e9a0dc8b4dd3bc0275bf4abca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
6960700d6bc28f0dc6d2df0297c7f9c4

SHA1
9f75331ee6b8dd24310d71f95cf6c1510dc0eea3

SHA256
3c3e0e601cd3071c666eeb16c6197564e78c806eae82160a8aac4fbe367b176f

SHA512
4b5e5bb48db78c0a1804de0b80e3b35dbaeacb3628f65094a8382b1ed9868bff3ca0123b15ca39f1029416bd5f74d8dff10b957d0eb4ce6887f98b63828ba3d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
319B

MD5
947d53ab6842ad58dc03622bd8df65a9

SHA1
0c7e1fb82e63ba76d7f4f7a16ae5b2af13623579

SHA256
33fee4b375ec3bf26bf44e552c8cd544eafadb4ac17904ca6aee41134df603be

SHA512
d6fe0f309dbd3d24193a31434566448fbbfcf3d840d5d5177798ddc79ac018129ba7b192571ef673bd24561a50bc48720e5debe3e0a509d7337ebb7e78ac0c2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
6B

MD5
a9851aa4c3c8af2d1bd8834201b2ba51

SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc

SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191

SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
2c4b8b579df184d0d8224848587cfc98

SHA1
d52a97db1d4980c693951707c5eddf519adf67e2

SHA256
6064820e499f1c76dd67ff51851230c3e7ba104d55d6aa280925fc8a6f993e2d

SHA512
e8f1da94f795b54ab562624e0e076202dec71506a4bbac551ce8617b4031380e0fb069ce7a41c3f5189f5768bad68191026ca8b7661a16658ed99ccc1765f068

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
00a455d9d155394bfb4b52258c97c5e5

SHA1
2761d0c955353e1982a588a3df78f2744cfaa9df

SHA256
45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed

SHA512
9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
322b249df204f3b62faec875f62f3484

SHA1
b40494f0b62726e920d08c666527a28bc342f05d

SHA256
8307658d040208bca04c61643d3f5cd10e84e776400854e19c67dfd2c431465e

SHA512
c59755da75c914370368615dd37e545a96ce5e5174d6771df05214c708a2486610efe7e1896a8dd7f9787a8ad4fc2c6387933cb9bd1e1d87e7ea16b2e8923496

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
9d7c4bcf190e10486cdae6078dfdd91f

SHA1
a8994c6e69356cf669105d0fc1236ac64c71aedb

SHA256
273881fdadf4db97d1d420a65bb82a9008686c151115a8f29ed7346a9b256716

SHA512
97ab396a1864905aabd1c76cd4c13d3bbdf3b32f0ec186dd37e9615bbb091b00edca070c2d15beb720c0195dff278bba4e2380d89492bbdbde4477caab860191

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8052df98b3fab55f86982deba4ade2e2

SHA1
4824a03704f1e4db36fe84e20db828e4dd7a51fa

SHA256
8da18b4a0a1436543ffd4285a8c47c49003827dc28478297f676fd5a65d4dd61

SHA512
508f7dc261966bcffe5a7ac277256c7bf5ffb2cc32388246ea197378b75d0fc305ef5b668192618a657a50450e63188f97e505505fdf0519c958ecc4aa44be58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2bc38af0d57ed55f6b1d54558ffc2137

SHA1
fab8d5822790095ae794a67acb1a262990b7473c

SHA256
437cfb1fb36ac06651354beaa0ffcf3387c6719f71ab42964068bef59ba6dc13

SHA512
ab8cb31dd978c4c820673d89efb48ec143ea12813e95e0b3f4314c53325d438f8c6823ebfe8e01a084acfa588e9cebc091f9f390e20c6f380d7c0c8347cdf8ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
44fbfb5d6d241fcc936fb89b234a2cde

SHA1
856fc08ead50822cc935f02499464ec6a0246506

SHA256
8d0bb3632c5abaa65b18d154db0a949f47ff27e237575044c9a821ce540de492

SHA512
5c806a324945b58d257d289dcd4c525ce33e848f90d33423519af3a21f7f13114b89f8e74a34c58775f3e588ef0a474297e336fef8a4e9681f3154f820a463be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
83acd6cd39b51dfd4f444845cd13f732

SHA1
31f54bb79f03d7555bd4d2041ad972db24904f63

SHA256
3bf28ea96aae263aa34fb2e15784059685cef08a436a1a0042061ce9401f129f

SHA512
69a80ba8c0fccde47685c6269b3bd4a6f4b921bc3b1831d9df58988f1f015c8e7d0b5da7c3762404a0e0cf9e2bb42870701f592afb03c8e6e7ac4ad7412a5a09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fbdc8dc7a07a95419535372a66b5573d

SHA1
197c7c1ec67cb1c82ecd18157496b0ed9a6aaed7

SHA256
209353ad1ddcfa8ef82fe0f2ff4dfe9c389a7985aa79c6859037154bf7b3b6e2

SHA512
3555b7933f284cf25176b23c8cb8c1ac219830d047fcdc7763dbf2018ddf76889a09f169fab1cb7dca41a9fa9a473740298d70f60dd3942ee05a75edd6cfd7d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
5688f51f5376aa0c7e16eea8252d9dfc

SHA1
6d8e48569f15b772d543bd32808d6f7e10727743

SHA256
4a46f0c5b5858aac5f6fc0c6f517073d486044b0313f5f7163ba18949c504183

SHA512
7ec9b4d1a4e77096c38bafb4d50e272bd34d704e947fbbb0aba521b0ecc918046ee51708d8b869f4561dbfdf9b9446785f6717a9fa893a893296470d47f82da3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
c6e81f9a74d9f1b66ed28d1bfaaccce7

SHA1
820082528587928ae8fc1e854315eb6e3663da51

SHA256
50e517e6a5126518e93366797ad197db671ea0e66de64e06430ecc30ddbe5249

SHA512
cdb21c64a0b5d95ed7e8f9cfc2fa86a08caa367bb9eec340e83238922741b14cbc85e6ed82e7c005f6e815325063af5d8fd5bf467702df6e912843ed79610756

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
e226b8fd7e5da848d7ad5fbf9feb7160

SHA1
a7f0bdb9001e13d9738fad8899988a190c23a1df

SHA256
c6520cad32694cde1eed2d786e5d77de640c73cd79a5e731967e77dc0dc76eb8

SHA512
8ff3c8392412117a264e5d95014da675c5d4942178b4b4d43e465d2040b18daef8f438acc43dad1e2876de42e23d227714166ac9ef76dba2fcfcc3311aa7886e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
f2e87eab714652e688c445627a9db510

SHA1
d860afed1774cc74a711f3636d20eed41397bddd

SHA256
21b36603dd47243e5c442a9c7de55caa39ef79ad38b032a4423000a3f87a6d17

SHA512
9d2d386156a10549ef97349c8f3c2696695ed1a0226fe86714bfa14ae9e38b9416c904886d77b15935de8f6cbbfc09ad7d4194021a967da7fb33c74f06e93396

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
36b6810b1185d08dc59ff82948160bbb

SHA1
2a97b495a963ce39acac8f5870f8958eee23018f

SHA256
f8f4c79fda05d4f58ecba0759204a079a091e35c184e92fc70878aa0742669cf

SHA512
b47a973c5c19c0c0c477f13c5f812d8380427e6b4a5bb1042ac199d738fc42061a4ea00aeaff897bf32be1f8b021e4b064e20d192e8a3d0a0648fddb1aba4081

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
38e5d014c9d7604448232a9a8546eb2a

SHA1
48239234ec678cf9d1c2af8ba40d00c9dbcb6924

SHA256
5cda2417f57bb25330f7d317a7a70c7602642c6629d786f4710228073b1a3986

SHA512
0735155d85a60c469f8c15be1f1eb205636d1a9416e327624930e3b38b872131ae61107690471526ba59b26b0b0170b44bd1d21bf2264aee890f5c487547e322

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
da94f1143fc51e0666ddfb8fec408a18

SHA1
26560b063a3abbe51022712a08e1587df06a6652

SHA256
34d9f5241394ac996cc85a96fb150e123a77603241d40af1aab820df3b8ddeda

SHA512
bce386d2cc6907eb8159751eae5f06db513dd343966e111e0de8fcccff3084196122b60d8c29292a816e4051de2e6f8822e91596cfb3bf129cadca5314ee88c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Reporting and NEL

Filesize
36KB

MD5
701dd7ecd4a5fed2639cb6bcff33c667

SHA1
e07570a6b423acd55cfff31e680aa79bb0656bd4

SHA256
4f4d7463c50c3e339de1dada9c2f06e1aa26f96dd1fddb260efed7adbb8ca9be

SHA512
fa72827375f9700089251729c103aabf6195cbb1becad2064475b133e9722d6f515e30adfab037eb4d9cebb27ea8344243869892e1953b66928a4d1e290b55e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Reporting and NEL-journal

Filesize
28KB

MD5
526f22f292e263e5918c03c258fbf91a

SHA1
f0894e4a797db05981f223db379cfb22772e0745

SHA256
0a917c5171025c21c5911441dbeb2120cc37d8c028187631f9eccec5fbae2372

SHA512
ac6934f3e7c22f88c41d98ff1e5c915aabab4d435f025935f40d6afdfef72d9505c2f79c45a17e8b75b19d17f5495c0a340ce283ce166550446bfc27cbc468f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
b8ef664050decb89910807ef3543bbd3

SHA1
56556409444eec9db94a32db044ad776a00d3b32

SHA256
7eb97951ee88f83417d448e61ec03fa5dddde631dec0a858e1f869d6a192a48c

SHA512
5971ae77143ae6a059c219ba7ba585228c41fa2eb4f41fd4c10c36308aaff296da1239faa6b575d0eaad0195ead492cdecc479ca5d04dd0ce5ef9e8be968c0d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe60c3a2.TMP

Filesize
48B

MD5
6d988f4eb54c728676c3809acf3982f0

SHA1
ae74613f71fb5b6f1cf7ad758921ec0a5086ecf3

SHA256
b231d6b42eb46a9f741320c36945e8ad7d9640f32a9b40d542cacef1924f20e7

SHA512
5d71af419b429705834cb51de0587c338fabc156a839decc248e9129c340f92624d96505325f06e4cee86c12b36c9412ea2993af572c79e3e9853e7a04968411

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
137B

MD5
a62d3a19ae8455b16223d3ead5300936

SHA1
c0c3083c7f5f7a6b41f440244a8226f96b300343

SHA256
c72428d5b415719c73b6a102e60aaa6ad94bdc9273ca9950e637a91b3106514e

SHA512
f3fc16fc45c8559c34ceba61739edd3facbbf25d114fecc57f61ec31072b233245fabae042cf6276e61c76e938e0826a0a17ae95710cfb21c2da13e18edbf99f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
322B

MD5
0d79f5294106776f5803faf0d32eea4a

SHA1
9c4c5a0b62414e95b9fb7362e03ee1464bd12f77

SHA256
84417935163e46504705bb36381a05c1afbe2c523ecd2eb23727c7e57c56df64

SHA512
588c9c346bd81a2a3013a540076634ee2664de32df74061e23a782efa9dcdb3bf0d4c596c0cb1c7d453f7ee4b86cd4d6226f730d3b9b223790807dc4c78f566e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13377206253845986

Filesize
1KB

MD5
50680615b70b0159bfad49498863f857

SHA1
0615b75262716948e655edad36a1880a472f70d9

SHA256
c661526f7975380c360f2ae8fb88e183972e9430946dbfffb35049d3598a526c

SHA512
c94534864652e9fcfe2349ac1530a9e3aa2ed5b16e3c8a0d4042d39f59d212c4ffcdb5d693e3d9b399ddd1f137f44d550434680dd4d4218477369ee5ddb9a441

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13377206254003986

Filesize
1KB

MD5
ced4f19790195b8f4857297aa91977d3

SHA1
d0956bc2aa01a9b06d6815428e395755d99e5a6b

SHA256
a3094ac2dd664176186c56e74c6ab45b8bf6e6c8c2b45c5ddb1116f53abef0d8

SHA512
90dfe4d28d7cf1f78e70292692d2baa18717b0042a8b035ee1dbb5a0b0129f757504d03df3313f29d7a59598f182b1ea35c1828a764b8f91c145d277fcaf0d63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
b0bba5aeb6f5c230745d56ed94fa6542

SHA1
827765595d9f8c3b503ee7d222572b3d764b51c3

SHA256
d367d79fba753a0a8ea394a58a7cf5e7955e63f66e4b052a2060725c9ddd64d3

SHA512
b2e57a013efce786b19eefc7b685b0dc1d7f651962a4fac645a7533e76a45d70c8996c168a6d12c752c0f26b24546cb8611da8a99c486f0d9b1c03da36179d6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
af382b12e3f0d066e5b19152c39cffe3

SHA1
408b1cee2005fbfd6ea6e66e3baaf332a7a2d6b7

SHA256
fbb8b539258459158d61ae1690b9a1e4979da4390a6ae69e064a86480f2ea07a

SHA512
cff67d3a7a2d5ac3c3e4ca29feb9033be32f338d4c0e8de33ed21c24b06835f6f6f9b4a8d90ce2e7755a177f604f249253f6e93f01493927e604d88adf95a025

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
20d352a340f57468239cc72cb354f270

SHA1
a376b363a1798d4de873b77ac91e148a801ad3a9

SHA256
75d7cad596692c5cb2bc271b6b0de899e97ba8a7628e50a69cf0511e5dee5da7

SHA512
a3a2c603306444d960eb8ae6040bdeba9ca33326ef5328b4f0f6b8210944f1c894022312f0e0945f50e2fa55ebb3a00ab913be9cb10403d2216069875bcb080d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
1bd44a0dda258fd5a3adb8f047af2653

SHA1
4b89bba9b22219f8df0fe6808a9d564c7970b536

SHA256
5f422bb429868396a6e85cc889b9eb6c18529705b670233197c2e997b6c5a328

SHA512
ffa543452310f0fdc27009fa5bf15a2f6c31c2b8080d50df2c7fe3436e9fb40b939b5a9e3fffa85b114d7f322d9825d2d58d62c2aa53ab61feeb5297b98f7951

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
f3c5b6b1da2f81cc8951c446a5ee1c6a

SHA1
ce869e674168ed74b8eb42104bfaea7d67f7c718

SHA256
bb0004348115a2482c0fa1d7bd7eabcb32856772b5ecdfd9a23acb383cd7f410

SHA512
e0fcedb197859adeebd40eedb5351476921d4098a78947544576b2e9b6be545ade01d62dadf15cf5cc2ee01ee4058531d9c7594134af7f21fc37f1ee62ca2fce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
8a17975def4f64e2970187fb6bba4260

SHA1
4e73a41f7dbb810ab7b5b8c3718714eeada4149d

SHA256
145ddb44ae77bda9e8b9fadf8bb0336a68d999401e9789f371b1454107a4eb8c

SHA512
778d2aeec0a69ba2bcc9dbd45b4d9d9d881f3f2c375b7999c24be7e34afac7a555ff66add3f21dc7456636c808bf970cf630d658ab4a8caf9c050b4803fe7e43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
78df0aec24b298d9d01637579d98b891

SHA1
8d3ded5c1bb1b587cddc0e7a9f1bc387dc8717e4

SHA256
144a61df8f2b7161ed3410abcc55a2742cf4df4e7f200240df7535bf4931826c

SHA512
7fbdf62f77a93750feb3cee5dc2a0066056f2b6f6674c62bbbf1d0b58f1947ca9ffc7697b9b3574594edfbb793f169c0485d8c3a7efb69c813eff48407a871de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
4b78caa44c4d9622fc0b16524f7d78f6

SHA1
cb2da9822f3725b95e4c1f88d84e326f764c8a47

SHA256
9149ff53f790e8e079f009c217a27ee8aed815ab7c50b4d1137430f6e93afb69

SHA512
cf0e2ad27408fd42886e85bf70cec6c400ca38c229ee4474bcf3652b16e48ef4a875bc879baa52f9222d734d23c7f2d28fa1334087070ed125037b1ae7d0de2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
4f298a322bf271ac14ac03e056623c3a

SHA1
5b7ecf2ce3ff66ba5548be8aa63f4a323f785acd

SHA256
97b7fa00de27c2cfb26797e688c212a88ed19483e33e5bbf131952ea68cef62b

SHA512
231ebd3ae523859a9f07ececd38c125ef9c5b0b4d952210fbd7bb757a603f7e956c11132be2590df6cb49c06a1b74623dccf495a816eec96663c37eecd783f23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
fe0a6d5e2cab62aa458f69b91c2e5406

SHA1
ac7e855ba89f0b7ac734e5d6ee2297da957a677f

SHA256
d25cbfcccf00a29ca35dca68d81e1e7e01ccf25268be39aac5c52535ae8222c8

SHA512
f15f50cd293c3462b3f1b68035d2f85d46cce04660e9c43feadcf88e74def6444f158e187da8a1e383dc434f0f1510fcee6b3dfa142f654f55bb40f14bffab91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe60957e.TMP

Filesize
538B

MD5
f4898e286686017193df216b0e8f78ab

SHA1
4f6f6bc78507483b4e47582645f989a5959d79af

SHA256
958be437ea848af06abfbf5a52f4746453c2abc9cb17a84645bbf835a1e415b7

SHA512
ca6b010b6333a168f215cda8d5df975fa3e343f0648bc48a95a57b3ee729c9a2e2d05fef13d71fded1772a63301ee4595f30b2a28fe0e8d5d55e3a7cf81d6696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
1e6c456e64cff542fa08602495ff2c0b

SHA1
8073f3d91c8d79a92ffb3857d419e486d015dd32

SHA256
db3a4b55c90beaa4626b95357ea84f192419355a45b5546d817ab56789f71181

SHA512
daa2ae9bd30a6be440693f6a9c2b05a1bc15b750c8734aedeabab439f35e7a541e6f41a39b321007e4e4669c3da57d9a20723b7e598a678d47de83af080727bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
b1b1fa30152d32764ea0480c80d3024b

SHA1
6eb4971f42b7ba6a691f63769367abef81f9e325

SHA256
6e899baa6e1046cd88e3c68ddd95e965d7e922d90c6618832324a386d2f048b2

SHA512
630df3895422b0a9409894b56ef001532ab36721485e1302ceb04e9eb4c4aeb51fb609938baf1f42ad65d7dd5c89051a022397782342846d220ad8b04d645917

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
a42b9c9e1446c51d9a0a003b8e05ef21

SHA1
4ac986a1424d2d557788b3c58c2b91c24316a182

SHA256
733cd4ade46f6596d244701a448e740e9adba8be142556b853c80bf4b44e8c51

SHA512
3bc282e9c70cc9021c0efbdf57f7938ed7d2b86af1d128c71bc7b94da41588dceeed9e82a4cad18fce385bccdba7f992e96c828349569b567f49c5e2ccb1c736

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
52f40f6e3ac85fc9bf2eedd7985b5a01

SHA1
3faf9fc110927901fa9870ab2301033e04902d84

SHA256
a5563932f5de951bd24374a6b8f4d8211d65bf8d980278d0f5931ae61475d805

SHA512
8ddd4b0c5e7f4132b4480eb1747e0724e308817d837863cfce004d133c911770bcfead8bd5e2f399fece89556a28c3310eb5b803a78da4a181369d727777abec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
572f38cec6cfa4b00048567256b99c5c

SHA1
2574d88f8a2fcba8af0da18306e168a74e0404b2

SHA256
b7acd0359ab01f4b7a50bef4dbaebc24dc1ee5e150ece7d9b621b69e7aa581d7

SHA512
8c817c0c1e71eb53f7479649c93b30d138746f71a70e6fb9bc3b3f7e913399cf7bf19413f9f5e8f8c7c35bcd4b33e2e33bad3c57926e35d14720d1fa03c32605

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
aeceb73c58b34032b2087f3e71158cfc

SHA1
8e089a5da0657dd4b438a922012e4f023ff14d4a

SHA256
f60f35d7d0297c8bbd9d0b3e35b1b484ebcd58e023f250d044a49cf297c82014

SHA512
7ca91c5789d46cd6b77bce8a2efbc8cb43bd9e4401921d01f5b7a45d74c37f64eba48189ade0f427086bfa233b356df616c00806f6562d01e323b21e4244e7bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000001

Filesize
20KB

MD5
ef9588ca82f853399e5968af99985e74

SHA1
80d9df4f75c3e789ddf10584d9ff9de2b6154cb0

SHA256
9d550015f47a4d5d502f8a2f5b33bd9cbd136f4fea7c64754c8cc5a9651f7fe5

SHA512
a77b6b0bcea459ab4fc1e5d0983e85b86a6b0835849345f6afbfb27a5e84d8d1a38ff16e21ecf862e95d0a74e3fe97fda28bea66752b8bd64fd44c8ba680a5c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ba8142abd3ffef9dc834251a86eeba0a

SHA1
bd5670a03ce78145b5a9bf492b4bd91af0c7915e

SHA256
ef5ccf1687aa490602c82c9f285beac89ed4211bc1c85dcccc835de85d99ba01

SHA512
ae835cd5f4db9d1aecef4285ae1bd8aee96bdcc5fa922af7107261e3c914ddce983e086bb883d2ba64d1dd63e3ce626fd5638c777cc4a3bb0be16754c1c2ea54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
11e0c1e5ec9b0c509b664f9d2d19c35b

SHA1
6606ae34fcbb567167496424bf5d57b6e8dfe252

SHA256
9f66b75e945328c7cca1bf164167b99a31cc4124700908f6e68f194a34dd174a

SHA512
c7672e2e05d3791be8d9a1d061dc54c42462cef2dd040b110d07166e265f8da96bbd007d0ec0d7435faeed273b787be724c4511110adc4683ac0e6def65da6c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
41bbd91fa0f55b4cb842b529f21e1250

SHA1
f80d43102983f7c150388ee1e7c1b2faf37cea6e

SHA256
a24c4eff977ce2bd773d33cc14e758853fd522396daffce1a33efd6b3c32b28b

SHA512
c1de7912166cbfbc37b4bee287f5f434b0a71701fc994e5ad545d6b3caad6629817e264e8185d42bc0ac35422230ba43fe7e9918d263ad7d329e56feb9a45aa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
14b7a479f60b472a8a52a2038fcc95f4

SHA1
037e0899e62e3770668aac54c1a244ec338f23c8

SHA256
8b1b4725d584128270b6ed27529164479d86470d952001d6b108d867ca2429bd

SHA512
91abb374189c8284c990118722a6bdc54901252ebbfaa7d7e6eac29d8f816109ae2a3ba369ff8c4a416dd8d4febeb634bf738efe11f87a360a65582d4f4fa5c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
4B

MD5
41d9ba76e04ad6a81f8b91fe21a46265

SHA1
bbfdba6bc68e3cdb83447fc6e1c80a09077d29cb

SHA256
821ea49987c50b4d3a550e4696ca7a9299dcb3412a7591d81c4cd70ed286d6b0

SHA512
029bd5f67d0e8f3919c6640157ac0e1ebfc6b03e619cfcc675e7d84122ccc14a178fb915a079413b32cf638c25bd1794710cc7575fff066b061fea24c5ab2099

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\45b6f065-c6c2-4f22-802c-75ce84ca64fe.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
99d3ecd709464e38b25be3ab947ad5c9

SHA1
f3753394a5fef90f29dca347abd40adf15e9a47d

SHA256
c87c395c07643e24dfa5b59915b602dea53bf7c7fa7db991af59b84a122c91a3

SHA512
a694c3c842ea72e34d654998cc38a98ec5f3b53727a377789ab10ca49845e7dc1334c945bafc659a489f5c0cd65180c08b13d69d0780a2855c95a1978c58c991

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
711f1a880c08e1f7867f1bdd117320b7

SHA1
50c2d0859f6fd41024d486e2ab537507b975991d

SHA256
f868e98aa21c341e365d73e301d87c006b557033d8d7b2808fed207734fe5143

SHA512
885c2abd9047727b33ea760836cbbe4eaf5fddc08375a8b37840c99332131f0f7164f87c0abeb4523f42262349ab12a1c22c12813a9d81d6955c7d20b41a9a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Filesize
933B

MD5
7e6b6da7c61fcb66f3f30166871def5b

SHA1
00f699cf9bbc0308f6e101283eca15a7c566d4f9

SHA256
4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e

SHA512
e5a56137f325904e0c7de1d0df38745f733652214f0cdb6ef173fa0743a334f95bed274df79469e270c9208e6bdc2e6251ef0cdd81af20fa1897929663e2c7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
18KB

MD5
cd5e0c94e183c90d7df58e8427425ad7

SHA1
772eb704219eaa97158e4bb7fa26b8f24d7c79b5

SHA256
5f9b70e89ea9a71c07fcd86b298caaa12e92e218888918d08ce2cc9856dffc60

SHA512
7a0da0eedbac42c87561e233f07fa5e693dfad97455173cf6506c078c50df26bb0f1a25f3aa687676ab65ab5666e3a74762faf1e96148bb012cb64d6790b334b

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
7.6MB

MD5
7d47f03fa7eed442d90f9b684f3772c6

SHA1
e6da8b0a97c4e9978fb131b9f0f79ab85716742a

SHA256
de61ac2bb6360028d52db545acc081f8cb8b42e7db763b28b1c30bbb89b77864

SHA512
885912793537d33d10b4aa24fcb8f79e5404e7982e6e9fcac4ade2ce6bc9bb7406abc35dc4beb1807f45d00a3caf68023191bd11cc03ed44b225ac94761ddd36

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry.zip

Filesize
3.3MB

MD5
efe76bf09daba2c594d2bc173d9b5cf0

SHA1
ba5de52939cb809eae10fdbb7fac47095a9599a7

SHA256
707a9f323556179571bc832e34fa592066b1d5f2cac4a7426fe163597e3e618a

SHA512
4a1df71925cf2eb49c38f07c6a95bea17752b025f0114c6fd81bc0841c1d1f2965b5dda1469e454b9e8207c2e0dfd3df0959e57166620ccff86eeeb5cf855029

Download Submit
C:\Users\Default\Desktop\@[email protected]

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
memory/2744-1478-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/3904-2736-0x0000000073E10000-0x000000007402C000-memory.dmp

Filesize
2.1MB

Download
memory/3904-2767-0x0000000000720000-0x0000000000A1E000-memory.dmp

Filesize
3.0MB

Download
memory/3904-2730-0x0000000000720000-0x0000000000A1E000-memory.dmp

Filesize
3.0MB

Download
memory/3904-2734-0x00000000740B0000-0x0000000074132000-memory.dmp

Filesize
520KB

Download
memory/3904-2733-0x0000000074140000-0x00000000741C2000-memory.dmp

Filesize
520KB

Download
memory/3904-2732-0x00000000741D0000-0x00000000741F2000-memory.dmp

Filesize
136KB

Download
memory/3904-2731-0x0000000074200000-0x000000007421C000-memory.dmp

Filesize
112KB

Download
memory/3904-2707-0x00000000740B0000-0x0000000074132000-memory.dmp

Filesize
520KB

Download
memory/3904-2749-0x0000000000720000-0x0000000000A1E000-memory.dmp

Filesize
3.0MB

Download
memory/3904-2755-0x0000000073E10000-0x000000007402C000-memory.dmp

Filesize
2.1MB

Download
memory/3904-2756-0x0000000000720000-0x0000000000A1E000-memory.dmp

Filesize
3.0MB

Download
memory/3904-2735-0x0000000074030000-0x00000000740A7000-memory.dmp

Filesize
476KB

Download
memory/3904-2773-0x0000000073E10000-0x000000007402C000-memory.dmp

Filesize
2.1MB

Download
memory/3904-2805-0x0000000000720000-0x0000000000A1E000-memory.dmp

Filesize
3.0MB

Download
memory/3904-2814-0x0000000000720000-0x0000000000A1E000-memory.dmp

Filesize
3.0MB

Download
memory/3904-2820-0x0000000073E10000-0x000000007402C000-memory.dmp

Filesize
2.1MB

Download
memory/3904-2822-0x0000000000720000-0x0000000000A1E000-memory.dmp

Filesize
3.0MB

Download
memory/3904-2828-0x0000000073E10000-0x000000007402C000-memory.dmp

Filesize
2.1MB

Download
memory/3904-2831-0x0000000000720000-0x0000000000A1E000-memory.dmp

Filesize
3.0MB

Download
memory/3904-2708-0x0000000073E10000-0x000000007402C000-memory.dmp

Filesize
2.1MB

Download
memory/3904-2709-0x0000000074140000-0x00000000741C2000-memory.dmp

Filesize
520KB

Download
memory/3904-2710-0x00000000741D0000-0x00000000741F2000-memory.dmp

Filesize
136KB

Download
memory/3904-2711-0x0000000000720000-0x0000000000A1E000-memory.dmp

Filesize
3.0MB

Download